Using Java Script as a security model to protect hidden fields
-
I have been in an argument at work involving this and I just want other people to hopefully back me up, but if I am wrong PLEASE let me know. The current belief is that if you check for enabled scripting and deny anyone without that turned on as well as to disable the "Mouse Right Click" and "CTRL-N" that you can prevent users from seeing the source of the page. This would matter because like I asked before, information would be stored in hidden variables due to not using session variables. I am pushing for this change but for the time being that is what the mindset is. What I am asking is will this work, will it not work, and if not what can I tell these guys to convince them that they are wrong? Thanks! Cleako
-
I have been in an argument at work involving this and I just want other people to hopefully back me up, but if I am wrong PLEASE let me know. The current belief is that if you check for enabled scripting and deny anyone without that turned on as well as to disable the "Mouse Right Click" and "CTRL-N" that you can prevent users from seeing the source of the page. This would matter because like I asked before, information would be stored in hidden variables due to not using session variables. I am pushing for this change but for the time being that is what the mindset is. What I am asking is will this work, will it not work, and if not what can I tell these guys to convince them that they are wrong? Thanks! Cleako
That is so wrong it is not even funny. If I ever saw a security module like that actually being implemented I would recommend the developer by downgraded to chasis shiner. There is a rule to web development, If you trust your client your software will not be secure. Sorry but anything on the client side will NEVER be secure.
Brad Australian - Christian Graus on "Best books for VBscript" A big thick one, so you can whack yourself on the head with it.
-
That is so wrong it is not even funny. If I ever saw a security module like that actually being implemented I would recommend the developer by downgraded to chasis shiner. There is a rule to web development, If you trust your client your software will not be secure. Sorry but anything on the client side will NEVER be secure.
Brad Australian - Christian Graus on "Best books for VBscript" A big thick one, so you can whack yourself on the head with it.
i am agree with Brad. You cant secure ur data by using javascript... for example... open any of ur page which is having hidden fields ooand text fields and then copy this code and paste it on to address and press enter. javascript:var x=document.getElementsByTagName("input");alert(x.length); for(var i=0;iRavi Kant Srivastava (System Analyst) HandsOn Technology & Engineering Gurgaon (India) e-mail:ravikant@hte.co.in
-
i am agree with Brad. You cant secure ur data by using javascript... for example... open any of ur page which is having hidden fields ooand text fields and then copy this code and paste it on to address and press enter. javascript:var x=document.getElementsByTagName("input");alert(x.length); for(var i=0;iRavi Kant Srivastava (System Analyst) HandsOn Technology & Engineering Gurgaon (India) e-mail:ravikant@hte.co.in
I agree with the ability to use Java Script but to simply check for client scripting enabled, disabling the right mouse button click, and disabling the CTRL-N for new page which would contain the address bar seems like a bad way to control if someone can see, say, the SSN that someone might store as a hidden variable. Even if you implement this, if someone can use some cross-site scripting somehow, couldnt they get all of those values or some reference to them and then exploit that? Cleako
-
That is so wrong it is not even funny. If I ever saw a security module like that actually being implemented I would recommend the developer by downgraded to chasis shiner. There is a rule to web development, If you trust your client your software will not be secure. Sorry but anything on the client side will NEVER be secure.
Brad Australian - Christian Graus on "Best books for VBscript" A big thick one, so you can whack yourself on the head with it.
That is why I try to tell these folks but there is a developer that has been here for a while whose every word is trusted. I have had argument after argument about doing things like straight SQL in the site code, Java Script to control every action, using Java Script as the only means of validation but requiring that client scripting be enabled, etc etc etc... Cleako
-
I agree with the ability to use Java Script but to simply check for client scripting enabled, disabling the right mouse button click, and disabling the CTRL-N for new page which would contain the address bar seems like a bad way to control if someone can see, say, the SSN that someone might store as a hidden variable. Even if you implement this, if someone can use some cross-site scripting somehow, couldnt they get all of those values or some reference to them and then exploit that? Cleako
ANYTHING client-side can be seen and tempered with, end of story (this includes javascript, hidden form fields, cookies, session IDs, HTTP headers etc.). Javascript is not secure and in terms of security/validation should only be used to enhance the user experience by not requiring a server trip, server-side validation should still be implemented. Besides, what if a perfectly authentic user comes along with no javascript? They won't be able to use the application!
-
ANYTHING client-side can be seen and tempered with, end of story (this includes javascript, hidden form fields, cookies, session IDs, HTTP headers etc.). Javascript is not secure and in terms of security/validation should only be used to enhance the user experience by not requiring a server trip, server-side validation should still be implemented. Besides, what if a perfectly authentic user comes along with no javascript? They won't be able to use the application!
JavaScript can extend and enrich the user experience. There should be a resilent serverside component to check the integretity of data against any tampering as well as hijacking.
Vasudevan Deepak Kumar Personal Homepage Tech Gossips
-
I have been in an argument at work involving this and I just want other people to hopefully back me up, but if I am wrong PLEASE let me know. The current belief is that if you check for enabled scripting and deny anyone without that turned on as well as to disable the "Mouse Right Click" and "CTRL-N" that you can prevent users from seeing the source of the page. This would matter because like I asked before, information would be stored in hidden variables due to not using session variables. I am pushing for this change but for the time being that is what the mindset is. What I am asking is will this work, will it not work, and if not what can I tell these guys to convince them that they are wrong? Thanks! Cleako
cleako wrote:
The current belief is that if you check for enabled scripting and deny anyone without that turned on as well as to disable the "Mouse Right Click" and "CTRL-N" that you can prevent users from seeing the source of the page.
That's ridiculous. Any check for having Javascript enabled has to be done using Javascript, and the only way that the server will know the result is from what the browser sends in the next request, so the server can easily be fooled that the client has Javascript enabled. Also, here are just some of the ways that you can get around the checks: :: Select the "View Source" option in the menu. :: Press Ctrl+U to view source (in Firefox). :: Enable Javascript but disable replacing of the context menu. :: Open the file in the browser cache. :: View the form data in Page info (in Firefox). :: Use a DOM inspector plugin to view the code. :: Use a program other than a browser to request the page. :: Intercept the network traffic to get the source before the browser does.
--- single minded; short sighted; long gone;
-
That is why I try to tell these folks but there is a developer that has been here for a while whose every word is trusted. I have had argument after argument about doing things like straight SQL in the site code, Java Script to control every action, using Java Script as the only means of validation but requiring that client scripting be enabled, etc etc etc... Cleako
Here are the arguments you need. 1. You can see the source of any web page, no matter what you do on the browser. If you managed to lock down the browser, the data can still be seen using a packet sniffer like Wireshark. 2. Since the browser and the transmission media cannot be trusted, the incoming data has to checked at the first point where you can check it and be sure that no one can modify it further. That point is your web server. So, you have to make sure that all data conforms to expected ranges and that no *bad* characters make it through in the parameters that will be used in generating SQL statements. 3. If the incoming data is not sanitized, hackers can send in SQL fragments in such a manner that they can compromise your SQL server. This mechanism is called SQL injection. So, if you really care about security, please use TLS/SSL to encrypt the channel (only needed if sensitive data is involved), validate user input at the server, and use javascript to enhance user experience. Thomas
-
Here are the arguments you need. 1. You can see the source of any web page, no matter what you do on the browser. If you managed to lock down the browser, the data can still be seen using a packet sniffer like Wireshark. 2. Since the browser and the transmission media cannot be trusted, the incoming data has to checked at the first point where you can check it and be sure that no one can modify it further. That point is your web server. So, you have to make sure that all data conforms to expected ranges and that no *bad* characters make it through in the parameters that will be used in generating SQL statements. 3. If the incoming data is not sanitized, hackers can send in SQL fragments in such a manner that they can compromise your SQL server. This mechanism is called SQL injection. So, if you really care about security, please use TLS/SSL to encrypt the channel (only needed if sensitive data is involved), validate user input at the server, and use javascript to enhance user experience. Thomas
That sounds great, now the question is will they believe me the guy that has worked there for 9 years that believes and has convinced others that JavaScript is a good model for security. Cleako